U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

ADVISORY MEMORANDUM
REPORT NO. 12-15

DATE:     July 16, 2012

TO:       Eric Won
          Chief Information Officer

SUBJECT:  Weaknesses Identified During the FY 2011 Federal Information Security Management Act Review

The purpose of this memorandum is to report risk areas requiring management follow-up as a result of our most recent Federal Information Security Management Act (FISMA) review. The act requires Offices of Inspector General (OIG) to perform annual independent evaluations of their agency's information security program and practices to determine their effectiveness.

To determine SBA's compliance in these areas, the OIG contracted with an Independent Public Accountant (IPA), KPMG, to perform the audit procedures relating to FISMA. The IPA interviewed SBA personnel, inspected documentation, and tested the effectiveness of SBA's Information Technology (IT) security controls. The OIG monitored the IPA's work and reported SBA's compliance with FISMA with the Agency FISMA filings on November 4, 2011.

The OIG's Fiscal Year 2011 review found that significant improvements were needed in critical computer security areas in order for the SBA to fully meet the requirements set forth in FISMA and Office of Management and Budget (OMB) Circular A-130.[1] We performed additional fieldwork between November 2011 and March 2012 to further clarify issues and recommend corrective actions. This work was performed in accordance with Generally Accepted Government Auditing Standards, prescribed by the Comptroller General of the United States. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

The results of our review showed that the Office of the Chief Information Officer (OCIO) needs to prioritize remediation of IT security vulnerabilities identified in prior audits. Furthermore, the OCIO also needs to perform recertification reviews of its general support system's end users and monitor remote access logs for unauthorized activity. We are re-issuing a prior year recommendation relating to the OCIO's oversight of its IT security contractor.

To prevent future degradation of its security environment, the SBA needs to immediately undertake remediation actions to establish practices which will ensure effective oversight of potential security risks and resolve outstanding audit recommendations.

We request that you provide your management decision for each recommendation on the attached SBA Form 1824, Recommendation Action Sheet, by 8/15/2012 (30 days after the final report date). Your decision should identify the specific actions taken or planned for each recommendation and the target dates for completion.

[1] Management of Federal Information Resources

***

Background

The Federal Information Security Management Act (FISMA) requires federal agencies to develop, implement, and report on the effectiveness of the agency's information security program. For Fiscal Year (FY) 2012, the OIG was required to report on the following 11 areas: 1) risk management; 2) configuration management; 3) incident response and reporting; 4) security training; 5) plan of actions and milestones; 6) remote access management; 7) identity and access management; 8) continuous monitoring management; 9) contingency planning; 10) contractor systems; and 11) security capital planning.

Results

The SBA Continues to Subject Itself to Risks through Unresolved IT Recommendations

Unresolved audit recommendations left SBA's IT security posture vulnerable to external and internal threats. Our review of outstanding recommendations in the FISMA control areas showed that 30 OIG audit recommendations remained open as of January 2012.[2]

OMB Circular A-50, on audit follow-up, states that agencies' audit follow-up systems must require prompt resolution and corrective actions on audit recommendations. Further, resolutions shall be made within six months and corrective actions should be implemented as soon as possible. The SBA's Standard Operating Procedure (SOP), Audit Follow-up System, requires program offices to complete the implementation of recommendations within a year of management and the OIG's agreement on the plan.

As of January 2012, there were 30 open OIG audit recommendations in the FISMA control areas. One of these recommendations dated back to the OIG's audit of SBA's FY 2006 financial statements. This occurred mainly due to the lack of timely implementation of the recommendations directly relating to FISMA reporting areas. As a result, these unresolved IT recommendations left SBA's systems vulnerable to external and internal threats. The underlying conditions that require correction in the open audit recommendations are integral to the SBA complying with FISMA guidance.

[2] This number does not include four open recommendations that were repeated over multiple fiscal years.

A complete listing of each outstanding recommendation and its particular status can be found in Appendix I. A summary of the recommendations by reporting area and the date the corrective action was first recommended is included below:

Risk Management
The oldest outstanding OIG recommendation in this category was issued on January 28, 2011. There are three outstanding recommendations pertaining to:
- SBA Certification and Accreditation
- System interconnections

Configuration Management
The oldest outstanding OIG recommendation in this category was issued on November 12, 2010. There are five outstanding recommendations from two audits pertaining to:
- Configuration management policies and procedures
- Baseline configurations
- Inventory

Incident Response and Reporting
The oldest outstanding OIG recommendation in this category was issued on November 14, 2011. There are two outstanding recommendations pertaining to:
- Vulnerability assessment
- Incident management

Security Training
The oldest outstanding OIG recommendation in this category was issued on November 12, 2010. There is one outstanding recommendation pertaining to:
- Training and monitoring

Plan of Action and Milestones (POA&M)
The oldest outstanding OIG recommendation in this category was issued on January 28, 2011. There is one outstanding recommendation pertaining to:
- POA&M reporting tool compliance

Remote Access Management
The oldest outstanding OIG recommendation in this category was issued in this report. There is one outstanding recommendation pertaining to:
- Log monitoring

Identity and Access Management
The oldest outstanding OIG recommendation in this category was issued on November 15, 2006. There are ten outstanding recommendations issued in four previous audit reports and one outstanding recommendation issued in this report pertaining to:
- Segregation of duties
- End user authentication
- Account management
- Least privilege

Continuous Monitoring Management
The oldest outstanding OIG recommendation in this category was issued on November 12, 2010. There are three outstanding recommendations from two audit reports pertaining to:
- Log monitoring
- Vulnerability tracking and monitoring
- Vulnerability management processes

Contingency Planning
The oldest outstanding OIG recommendation in this category was issued on January 28, 2011. There are three outstanding recommendations from two audit reports pertaining to:
- Planning and testing
- Alternate storage site

Contractor Systems
The oldest outstanding OIG recommendation in this category was issued on January 28, 2011. There is one outstanding recommendation pertaining to:
- Background investigations

Security Capital Planning
There are currently no outstanding recommendations for Security Capital Planning.

Recommendation

We recommend that the Chief Information Officer:

1. Develop an overall strategy to implement, in a timely manner, audit recommendations issued by the OIG relating to FISMA security requirements.

The SBA Has Not Fully Implemented Security Practices Outlined in Its IT Security Assistance Contract

The SBA has a number of tasks in its IT security assistance contract with Glacier Technologies which are not being performed. This finding was identified during our last FISMA review and is being re-issued due to incomplete implementation.

The SBA entered into an IT security assistance contract with Glacier Technologies to provide: 1) project management; 2) general information security support; 3) certification and accreditation; 4) audits; 5) FISMA reviews and analyses; 6) disaster recovery and contingency planning; 7) security operations and vulnerability assessment; 8) information privacy support; 9) incident response management; and 10) risk management.

We found that the SBA has not required the IT security assistance contractor to perform four specific tasks outlined in the contract:

- Configuration Management – The contractor is to conduct configuration management and maintain configuration control of all SBA IT resources, to include operating system and application system updates, revisions and patches.

  According to OCIO officials, configuration management was outside the responsibility of the security assistance contractor since these services were provided by a different vendor. However, the establishment and monitoring of baseline configurations are FISMA reporting requirements, and the contractor is responsible for maintaining configuration control according to its contract.

- Threat Analysis of Engineering Change Requests – The contractor is to perform threat analyses of SBA Engineering Change Requests.

  The OCIO stated that SBA's Enterprise Change Control Board performed the threat analysis of SBA engineering change requests and that the security assistance contractor did not perform threat assessments. However, threat analysis is needed on change requests as part of documenting and testing them. The testing of change requests which affect system baseline configurations is a FISMA reporting requirement under Configuration Management.

- Software Application Security – The contractor is to ensure software application security.

  The OCIO stated that the security assistance contractor performed vulnerability scans of only internal applications. However, an application security program should also include continuous monitoring of baseline configurations for all internal and external major applications. The monitoring of contractor baselines is a FISMA reporting requirement under Configuration Management and Continuous Monitoring Management.

- Review and prepare responses to Interagency Security Agreements – The contractor is to review and prepare responses to Interagency Security Agreements (ISA), Memoranda of Agreement (MOA), and Memoranda of Understanding (MOU).

  The OCIO stated that it has the responsibility to finalize ISAs, MOAs, and MOUs. These documents specify the security controls used to protect SBA systems and data, document the terms and conditions for sharing data, and define the purpose of the interconnection. The security assistance contractor can perform the preliminary documentation relating to the ISA, MOA, and MOU. Failing to fully utilize a contract under which the contractor receives full remittance for services that should be performed under its terms prevents SBA from receiving the full value of its contract capabilities.

Recommendation

We recommend that the Chief Information Officer:

2. Perform continuous quality assurance reviews of deliverables and quarterly reviews of IT security contractor performance to ensure all applicable areas of OMB and National Institute of Standards and Technology (NIST) compliance criteria are met.

The SBA Has Not Recertified Its Network Users in Compliance with NIST Guidance

The IPA determined that SBA's Local Area Network/Wide Area Network (LAN/WAN) general support system had not had its user population reviewed or recertified for appropriate levels of access to the network within the past year. The timely recertification of network users is necessary to ensure that individuals have the appropriate level of access to the network.

NIST's Recommended Security Controls for Federal Information Systems requires that, for access control and account management purposes, accounts be reviewed at an organization-defined frequency. This review should update the accounts of authorized users to ensure that individuals have the appropriate level of access to the network. Further, it ensures that personnel with high-level privileges still have a need for the elevated level of access to perform their duties.

The SBA did not review and recertify its user population, including highly privileged users, to its general support systems for appropriate access within the past year. As a result, SBA systems were vulnerable to personnel having a greater level of access than needed and possibly performing duties they were not authorized to perform.

Recommendation

We recommend that the Chief Information Officer:

3. Perform periodic recertification reviews of end-users in agency general support systems to ensure that users are authorized and have current access privileges. Alternatively, design compensating controls for recertification for end-users of general support systems.
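The account review that the NIST control calls for (a review at an organization-defined frequency, removal of access for people who are no longer authorized, and confirmation that privileged users still need elevated access) can be run as a script over an account export. The following is an added example in Python, not code from the OIG, KPMG or SBA: the account records, the HR roster, the field names and the one-year review window are constructed assumptions for the illustration.

```python
"""Periodic end-user recertification check for a general support system.

Added example, not the OIG's or SBA's code. It works on a constructed account
export and a constructed HR roster; the field names and the one-year policy
window are assumptions made for the example.
"""
from datetime import date, timedelta

# Constructed account export from a LAN/WAN general support system (not real data).
ACCOUNTS = [
    {"user": "asmith", "privileged": False, "last_certified": "2011-06-15", "owner": "J. Doe"},
    {"user": "bjones", "privileged": True, "last_certified": "2010-11-01", "owner": "J. Doe"},
    {"user": "cwu", "privileged": True, "last_certified": "2011-12-20", "owner": None},
    {"user": "dlee", "privileged": False, "last_certified": None, "owner": "K. Ray"},
]

# Constructed HR roster of personnel currently authorized to hold network accounts.
HR_ROSTER = {"asmith", "bjones", "cwu"}


def parse_date(value):
    """ISO date string -> date, or None when the account was never certified."""
    return date.fromisoformat(value) if value else None


def recertification_findings(accounts, roster, as_of, max_age_days=365):
    """Return the accounts that fail the recertification policy as of `as_of`.

    separated:          no matching person in the HR roster (access no longer authorized)
    stale:              not certified within max_age_days, or never certified
    privileged_unowned: elevated access with no named owner to attest to continued need
    """
    cutoff = as_of - timedelta(days=max_age_days)
    findings = {"separated": [], "stale": [], "privileged_unowned": []}
    for acct in accounts:
        user = acct["user"]
        if user not in roster:
            findings["separated"].append(user)
        certified = parse_date(acct["last_certified"])
        if certified is None or certified < cutoff:
            findings["stale"].append(user)
        if acct["privileged"] and not acct["owner"]:
            findings["privileged_unowned"].append(user)
    return findings


def recertification_passed(findings):
    """True only when every category of finding is empty."""
    return not any(findings.values())


if __name__ == "__main__":
    result = recertification_findings(ACCOUNTS, HR_ROSTER, date(2012, 1, 31))
    for category, users in result.items():
        print(f"{category}: {', '.join(users) or 'none'}")
    print("recertification passed:", recertification_passed(result))
```

Each category maps to one part of the finding: "separated" and "stale" address whether users are still authorized and have current access, and "privileged_unowned" addresses whether elevated access still has someone accountable for it. In practice the export would come from the directory service and the roster from HR, and a failing result is the list of accounts to disable or re-attest by a named reviewer, not an automatic disable.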
Remote Access Audit Logs Were Not Reviewed for Unauthorized Activity

The SBA remains at risk of not detecting unauthorized access to computer networks in a timely manner. The SBA's SOP, Automated Information System Security Program, requires system administrators and database administrators to review and analyze audit logs at least weekly to identify unauthorized user activity and system errors. According to OCIO officials, the SBA did not review its Virtual Private Network (VPN) audit logs for unauthorized activity within the past year. This leaves the systems vulnerable to individuals trying to penetrate the network through the SBA's current remote access protocols and gaining unauthorized access to SBA's network and financial systems.

Recommendation

We recommend that the Chief Information Officer:

4. Continuously monitor remote access audit logs for potential unauthorized activity.
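The SOP's weekly review of audit logs for unauthorized user activity can be partly automated so that the reviewer starts from a short list of escalations rather than the raw VPN log. The following is an added example in Python, not the OIG's or SBA's code: the log lines, their syslog-like format, the usernames, the documentation-range IP addresses, the authorized-user list and the failure threshold are all constructed assumptions.

```python
"""Weekly VPN audit-log review: flag events that need a human reviewer's attention.

Added example, not the OIG's or SBA's code. The log format, usernames, IP
addresses (documentation ranges), authorized-user list and threshold are
constructed for the illustration.
"""
import re
from collections import defaultdict

# Constructed VPN audit log lines in a hypothetical syslog-like format.
VPN_LOG = """\
2012-01-09T02:14:05Z vpn1 auth: user=asmith src=203.0.113.7 result=FAIL
2012-01-09T02:14:09Z vpn1 auth: user=asmith src=203.0.113.7 result=FAIL
2012-01-09T02:14:13Z vpn1 auth: user=asmith src=203.0.113.7 result=FAIL
2012-01-09T02:14:18Z vpn1 auth: user=asmith src=203.0.113.7 result=FAIL
2012-01-09T02:14:22Z vpn1 auth: user=asmith src=203.0.113.7 result=FAIL
2012-01-09T02:14:40Z vpn1 auth: user=asmith src=203.0.113.7 result=OK
2012-01-09T08:03:11Z vpn1 auth: user=cwu src=198.51.100.20 result=OK
2012-01-09T09:45:51Z vpn1 auth: user=dlee src=198.51.100.44 result=OK
2012-01-09T10:02:00Z vpn1 auth: user=bjones src=192.0.2.9 result=FAIL
2012-01-09T10:02:30Z vpn1 auth: user=bjones src=192.0.2.9 result=OK
"""

# Constructed list of users approved for remote access (assumed to come from the
# access-control records that the recertification review keeps current).
AUTHORIZED_REMOTE_USERS = {"asmith", "bjones", "cwu"}
FAIL_THRESHOLD = 5  # consecutive failures from one source before escalating

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>OK|FAIL)$"
)


def parse_vpn_log(text):
    """Parse the log into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def review_vpn_log(text, authorized, fail_threshold=FAIL_THRESHOLD):
    """Return (alert_type, user, src, timestamp) tuples a weekly review should escalate.

    repeated_failures:       fail_threshold consecutive failures for one user from one source
    success_after_failures:  a successful login following such a burst (possible guessing)
    unauthorized_user_login: a successful login by a user not approved for remote access
    """
    alerts = []
    fail_counts = defaultdict(int)  # (user, src) -> current run of failures
    for ev in parse_vpn_log(text):
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            fail_counts[key] += 1
            if fail_counts[key] == fail_threshold:
                alerts.append(("repeated_failures", ev["user"], ev["src"], ev["ts"]))
        else:
            if fail_counts[key] >= fail_threshold:
                alerts.append(("success_after_failures", ev["user"], ev["src"], ev["ts"]))
            if ev["user"] not in authorized:
                alerts.append(("unauthorized_user_login", ev["user"], ev["src"], ev["ts"]))
            fail_counts[key] = 0  # a success ends the run of failures
    return alerts


if __name__ == "__main__":
    for alert in review_vpn_log(VPN_LOG, AUTHORIZED_REMOTE_USERS):
        print(" ".join(alert))
```

The three conditions it flags (a burst of failed authentications for one user from one source, a success that follows such a burst, and a successful login by someone not on the approved remote-access list) are the minimum a weekly review would want surfaced; the threshold and the authorized list are configuration, and the output is the starting point for the administrator's review rather than a replacement for it.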
AGENCY COMMENTS AND OIG RESPONSE

On June 5, 2012, we provided a draft of this report to the Chief Information Officer. On June 22, 2012, the Office of Inspector General received SBA's comments. A summary of management's comments and our response follows.

Agency Comments

The CIO agreed to the accuracy of the current and prior year recommendations, provided updates on statuses, and adjusted closure dates. The OCIO closed one recommendation since the completion of the OIG's fieldwork and stated that they were working hard to remediate the remaining open findings.

Additionally, the CIO stated that configuration management is being performed by the Office of Communications and Technology Services and that they are in the process of having the item removed from their security assistance contract.

OIG Response

We found that the OCIO concurred with our findings and recommendations. Included in the OCIO's response were revised completion dates of outstanding audit recommendations referenced in Appendix I.

Actions Required

Please provide your management decision for each recommendation on the attached SBA Forms 1824, Recommendation Action Sheet, within 30 days from the date of this report. Your decision should identify the specific action(s) taken or planned for each recommendation and the target date(s) for completion.

We appreciate the courtesies and cooperation of the Small Business Administration during this audit. If you have any questions concerning this report, please call me at (202) 205-7390 or Jeff Brindle, Director, IT and Financial Management Group, at (202) 205-7490.

***

/S/ original signed.
John K. Needham
Assistant Inspector General for Auditing

Appendix I: Open Current and Prior Year FISMA Recommendations

FISMA Open Recommendations Relating to our Department of Homeland Security Cyber-Scope Evaluation (All recommendations are to the Chief Information Officer unless otherwise noted)

Risk Management – The organization develops and implements a comprehensive strategy to manage risk to IT organizational operations and assets.

- Update the list of Major Systems to include all the interfaces between each system and all other systems and networks, including those not operated by, or under the control of, the agency, and obtain written Interconnection Security Agreements for every SBA system that has an interconnection to another system. Recommendation closure was due 9/30/2011.
- Establish a program at SBA to manage, control and monitor system interconnections throughout their lifecycle. The program should encompass planning, establishing, maintaining and terminating system interconnections, including enforcement of security requirements. Recommendation closure was due 9/30/2011.
- Revise the SBA Certification and Accreditation Program Description procedural document to reflect the risk management framework approach established in NIST SP 800-37, Rev. 1 and the current POA&M process. Recommendation closure was due 6/30/2011.

Configuration Management – The organization develops minimally acceptable system configuration requirements to ensure a baseline level of security for its IT operations and assets.

- Develop configuration management policies and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. Recommendation closure was due 9/30/2011.
- Develop and maintain a centralized inventory of all agency hardware and software. Recommendation closure was due 9/30/2011.
- Develop and document baseline configurations for each information system and maintain the baseline under configuration control. Recommendation closure was due 9/30/2011.
- Implement configuration management policies and procedures for document retention (to include supporting evidence) to validate the authorization of operating system changes. Recommendation closure is due 9/28/2012.
- Enforce an organization-wide configuration management process, to include policies and procedures for maintaining documentation that supports testing and approvals of software changes. This recommendation was reported in audits of SBA's financial statements for FY 2010 and FY 2011. The original recommendation closure was due 4/30/2011.

Incident Response and Reporting – The organization establishes an incident handling capability as well as tracking, documenting and reporting incidents to appropriate authorities.

- Update the vulnerability assessment team (VAT) procedures, to include: (a) updating the VAT policies and procedures in accordance with NIST, (b) performing technical reviews of the results for critical issues that need immediate action and taking timely corrective action, (c) executing procedures to monitor the completion of patch management deployment across the SBA enterprise, and (d) prioritizing vulnerabilities as part of the ongoing continuous monitoring process. Recommendation closure was due 3/31/2012.
- Coordinate with SBA program offices to fully implement the SBA entity-wide incident management and response program and ensure that procedures are enforced. Recommendation closure was due 2/29/2012.

Security Training – The organization ensures that users of information systems are aware of IT security risks and of compliance with applicable laws and regulations, and that personnel are trained in their security-related responsibilities.

- Develop a comprehensive security education and training program for all IT security personnel and a method for monitoring the training program. This recommendation was reported in audits of SBA's financial statements for FY 2010 and FY 2011. The original recommendation closure was due 6/1/2011.

Plan of Actions and Milestones (POA&M) – The organization implements plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in information systems.

- Modify the POA&M reporting tool to comply with the requirements set forth in OMB Memorandum 04-25. Recommendation closure was due 4/30/2011.

Remote Access Management – The organization documents allowed methods of remote access, establishes usage restrictions, and monitors for unauthorized remote access.

- Continuously monitor remote access audit logs for potential unauthorized activity. (Current Year FISMA Review Recommendation)

Identity and Access Management – The organization identifies and authenticates system users, and limits system users to the information, functions, and information systems those users are authorized to operate.

- Prevent users from anonymously connecting unauthorized devices by developing and implementing procedures to ensure mandatory domain authentication for IP address issuance. This recommendation was reported in audits of SBA's financial statements for FY 2010 and FY 2011. The original recommendation closure was due 4/15/2011.
- Coordinate with SBA program offices to ensure users' access rights are authorized prior to gaining access to financial systems. Recommendation closure was due 3/30/2012.
- Coordinate with SBA program offices to develop and implement procedures for user access reviews to ensure that the proper access rights are set for financial subsystems. This recommendation was reported in audits of SBA's financial statements for FY 2010 and FY 2011. The original recommendation closure was due 4/29/2011.
- Oversee the review and validation of financial system accounts on a quarterly basis. Recommendation closure is due 4/30/2012.
- Enforce financial system password controls for System Administrators and Database Administrators and physical access controls in accordance with SBA SOP 90.47.2. Recommendation closure was due 3/18/2011.
- The Chief Operating Officer, in conjunction with program offices, should document and implement segregation of duty policies and procedures for LAS. Recommendation closure was due 12/15/2010.
- The Chief Operating Officer, in conjunction with appropriate program officials, should ensure that policies are implemented regarding segregation of duties for FRIS, JAAMS, DCMS, and LAS. Recommendation closure was due 6/30/2011.
- Perform periodic recertification reviews of end-users in agency general support systems to ensure that users are authorized and have current access privileges. Alternatively, design compensating controls for recertification for end-users of general support systems. (Current Year FISMA Review Recommendation)
- Restrict access to software program libraries based on the principle of least privilege, and implement compensating controls over actions where limited resources cause individuals to perform conflicting job functions. Recommendation closure is due 6/30/2012.
- Ensure that database administrator and system administrator access is restricted through role-based segregation of duties and managed through an effective audit log review process. Recommendation closure is due 6/30/2012.

Continuous Monitoring Management – The organization establishes a continuous monitoring capability for configuration control as well as performing ongoing security assessments of the information system.

- Implement a process to review the audit logs of all financial applications on a regular basis. Oversee the review and validation of financial system accounts on a quarterly basis. Recommendation closure was due 3/30/2012.
- Improve the vulnerability tracking and monitoring process to fully address high and medium risk vulnerabilities for key financial systems. Ensure that the vulnerability reports are reviewed and analyzed on a regular basis. Periodically monitor the existence of necessary services and protocols running on servers and network devices. Develop a more thorough approach to track and mitigate patch management and configuration management vulnerabilities identified during monthly scans. Recommendation closure was due 4/30/2011.
- Enhance security vulnerability management processes. Specifically, SBA should: (a) redistribute procedures and train employees on the process for reviewing and mitigating security vulnerabilities, (b) periodically monitor the existence of unnecessary services and protocols running on their servers and network devices, (c) perform vulnerability assessments with administrative credentials and penetration tests on all SBA offices from a centrally managed location with a standardized reporting mechanism that allows for trending, on a regularly scheduled basis in accordance with National Institute of Standards and Technology (NIST) guidance, (d) develop a more thorough approach to track and mitigate configuration management vulnerabilities identified during monthly scans, and (e) monitor security vulnerability reports for necessary or required configuration changes to their environment. Recommendation closure was due 3/31/2012.

Contingency Planning – The organization implements plans for emergency response, backup operations, and post-disaster recovery for organizational information systems.

- Develop and test system disaster recovery plans for all of SBA's major systems at least annually and initiate any necessary corrective actions based on test results. Recommendation closure was due 7/30/2011.
- Enforce existing SBA policies to rotate backups off-site. Recommendation closure is due 4/30/2012.
- Coordinate with the Chief Financial Officer to create, implement, and test the system-specific and Headquarters Continuity of Operations Plans. Recommendation closure is due 7/30/2012.

Contractor Systems – The organization ensures that its contractors abide by FISMA requirements.

- Enforce SOP 90-47 2 requirements for contractor background investigations and perform periodic reviews to ensure that SBA contractors have completed the clearance process prior to accessing sensitive information. Recommendation closure was due 5/30/2011.

Security Capital Planning – The organization ensures that the resources needed to implement the IT security program are available for expenditure as planned.

- No current recommendations exist for Security Capital Planning.

Prior Coverage

Multiple audits and reviews have been conducted between 2003 and 2011 related to FISMA. The OIG reports used in this audit, which can be accessed at http://www.sba.gov/office-of-inspector-general, include:

- Audit of SBA's FY 2011 Financial Statements – Management Letter, November 14, 2011, Report Number 12-02
- OIG FISMA Report 11-06 – Weakness Identified During the FY 2010 Federal Information Security Management Act Review, Report Number 11-06
- Audit of SBA's FY 2010 Financial Statements – Management Letter, December 15, 2010, Report Number 11-03
- Audit of SBA's FY 2008 Financial Statements – Report Number 09-03
- Audit of SBA's FY 2006 Financial Statements – Report Number 07-03

Appendix II: Agency Comments

U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF THE CHIEF INFORMATION OFFICER

DATE:     June 21, 2012

TO:       John K. Needham
          Assistant Inspector General for Auditing

SUBJECT:  Response – Weaknesses Identified During the FY2011 Federal Information Security Management Act (FISMA) Review

The purpose of this memorandum is to provide a response to the Office of Inspector General's memorandum regarding FY 2011 FISMA weaknesses.

The following written comments are submitted for your review and acceptance.

Page 5, bullet 1 and Page 4, Recommendation 1
The Glacier contract is in the process of being modified to remove the Configuration Management task that the contractor is not required to perform. This task is covered under the Office of Communications and Technology Services.

Pages 8-11, Appendix I: Open Current and Prior Year FISMA Recommendations
The Open Current and Prior Year FISMA recommendations are still accurate. However, OCIO is diligently working to remediate the open findings. The following response includes proposed adjusted closure dates for your review and acceptance.

We appreciate the opportunity to comment and look forward to reviewing the final action memorandum.

/s/ Original Signed
Eric Won
SBA Chief Information Officer